
Privilege escalation

Need

Enhancement of role-based access control to prevent unauthorized privilege escalation

Context

  • Usage of Terraform for Infrastructure as Code (IaC)
  • Usage of AWS SDK for interacting with Amazon Web Services

Description

Non-compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "standard_user" {
  name = "standard_user"
  path = "/"
}

resource "aws_iam_group" "admin_group" {
  name = "admin_group"
  path = "/"
}

# A user intended to have standard privileges is placed in the administrative group.
resource "aws_iam_group_membership" "add_user_to_admin_group" {
  name = "add_user_to_admin_group"

  users = [
    aws_iam_user.standard_user.name,
  ]

  group = aws_iam_group.admin_group.name
}

The above Terraform code for AWS infrastructure has a critical security vulnerability that could lead to a privilege escalation attack.

The vulnerability lies in the way the IAM user and group are configured. The "aws_iam_user" resource creates a user with the name "standard_user". This user is meant to have standard privileges and should not have administrative access.

However, the "aws_iam_group" resource creates a group with the name "admin_group". This group is meant for users with administrative privileges.

The critical part is the "aws_iam_group_membership" resource. This resource adds the "standard_user" to the "admin_group". This means that even though "standard_user" should only have standard privileges, they are given administrative privileges because they are part of the "admin_group".

This insecure role configuration allows any user with access to the "standard_user" account to potentially obtain administrative access or privileges, which could lead to unauthorized actions, data breaches, or other security incidents.

Steps

  • Implement the principle of least privilege by assigning only the necessary permissions to each user or role.
  • Avoid using default or overly permissive IAM roles.
  • Regularly review and audit IAM roles and permissions to ensure they are still necessary and appropriate.
  • Enable multi-factor authentication (MFA) for privileged accounts.
  • Implement strong password policies and enforce regular password rotation.
  • Implement secure access controls and restrict access to sensitive resources.
  • Implement proper logging and monitoring to detect and respond to any unauthorized access attempts.
  • Regularly update and patch the infrastructure components to protect against known vulnerabilities.
  • Educate users on best practices for security and the importance of protecting their credentials.
  • Implement a robust identity and access management (IAM) solution to manage user roles and permissions.

Compliant code

provider "aws" {
  region = "us-west-2"
}

resource "aws_iam_user" "standard_user" {
  name = "standard_user"
  path = "/"
}

resource "aws_iam_group" "standard_group" {
  name = "standard_group"
  path = "/"
}

resource "aws_iam_group_membership" "add_user_to_standard_group" {
  name = "add_user_to_standard_group"

  users = [
    aws_iam_user.standard_user.name,
  ]

  group = aws_iam_group.standard_group.name
}

resource "aws_iam_policy" "standard_user_policy" {
  name        = "standard_user_policy"
  path        = "/"
  description = "IAM policy for restricting standard user access"

  # Read-only: only the ec2:Describe* actions are allowed.
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "ec2:Describe*",
        "Resource": "*"
      }
    ]
  }
  EOF
}

# The policy is attached to the group, so "groups" is the correct argument;
# "roles" would look for IAM roles of that name instead. Note that
# aws_iam_policy_attachment takes exclusive ownership of the policy's
# attachments; aws_iam_group_policy_attachment is the non-exclusive alternative.
resource "aws_iam_policy_attachment" "attach_standard_user_policy" {
  name       = "attach_standard_user_policy"
  groups     = [aws_iam_group.standard_group.name]
  policy_arn = aws_iam_policy.standard_user_policy.arn
}

The original code was vulnerable to privilege escalation because it added a standard user to the admin group, effectively granting them administrative privileges.

The fixed code creates a new group called "standard_group" and adds the standard user to this group instead. A dedicated IAM policy, "standard_user_policy", is then attached to that group, so the user receives only the permissions a standard user needs, implementing the principle of least privilege.

The policy allows only the read-only ec2:Describe* actions and grants nothing else. This ensures that the user cannot perform actions they should not be able to, such as modifying or deleting resources, and restricting the attached policy in this way further reduces the risk of privilege escalation.

Remember to regularly review and audit IAM roles and permissions to ensure they are still necessary and appropriate. Enable multi-factor authentication (MFA) for privileged accounts and implement strong password policies. Regularly update and patch the infrastructure components to protect against known vulnerabilities.
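The review-and-audit step can be automated against the plan before anything is applied. The following Python script is an added example written for this page, not code from the original, and it checks a `terraform show -json` plan offline for the two conditions discussed above: a user placed via aws_iam_group_membership into a group whose policies grant write access (the admin_group case), and a group policy that is genuinely read-only (the ec2:Describe* fix). The plan document is constructed, and because the snippet above attaches no policy to admin_group, the sample assumes the AWS-managed AdministratorAccess policy is attached to it; the managed-policy lookup table is a stand-in for resolving the document through the IAM API.

```python
"""Offline audit of a `terraform show -json` plan for IAM privilege escalation:
flags group memberships that grant write access and identifies read-only policies."""
from __future__ import annotations

import fnmatch
import json

# Constructed stand-in for resolving AWS managed policy ARNs (a real audit would
# fetch the document via iam:GetPolicyVersion). AdministratorAccess is Allow * on *.
AWS_MANAGED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}
# Verbs that only read state; anything else, including a bare "*", counts as write.
READ_ONLY_VERBS = ("Describe*", "Get*", "List*")
# The page's standard_user_policy document.
STANDARD_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}


def _as_list(value) -> list:
    """IAM accepts a scalar where a list is expected; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only_action(action: str) -> bool:
    """True only for service:Describe*/Get*/List* actions; '*' is never read-only."""
    if ":" not in action:
        return False
    _service, verb = action.split(":", 1)
    return any(fnmatch.fnmatchcase(verb, pattern) for pattern in READ_ONLY_VERBS)


def allowed_actions(policy_doc: dict) -> list[str]:
    """Actions granted by Allow statements. Deny statements are ignored, so this
    over-approximates the grant, which is the safe direction for an audit."""
    actions: list[str] = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions.extend(_as_list(stmt.get("Action")))
        if "NotAction" in stmt:
            actions.append("*")  # Allow + NotAction grants everything not listed
    return actions


def policy_is_read_only(policy_doc: dict) -> bool:
    return all(is_read_only_action(a) for a in allowed_actions(policy_doc))


def audit_plan(plan: dict) -> list[dict]:
    """One finding per (user, group) membership whose group policies grant write access."""
    resources = plan["planned_values"]["root_module"].get("resources", [])
    group_policies: dict[str, list[dict]] = {}
    memberships: list[dict] = []
    for res in resources:
        vals, rtype = res.get("values") or {}, res.get("type")
        if rtype == "aws_iam_group_policy":  # inline policy on a group
            group_policies.setdefault(vals["group"], []).append(json.loads(vals["policy"]))
        elif rtype in ("aws_iam_group_policy_attachment", "aws_iam_policy_attachment"):
            doc = AWS_MANAGED_POLICIES.get(vals.get("policy_arn"))  # None for unknown ARNs
            groups = _as_list(vals.get("groups")) if rtype == "aws_iam_policy_attachment" else [vals["group"]]
            for group in groups:
                if doc is not None:
                    group_policies.setdefault(group, []).append(doc)
        elif rtype == "aws_iam_group_membership":
            memberships.append(vals)
    findings: list[dict] = []
    for m in memberships:
        group = m["group"]
        write_actions = sorted({a for doc in group_policies.get(group, [])
                                for a in allowed_actions(doc) if not is_read_only_action(a)})
        for user in _as_list(m.get("users")) if write_actions else []:
            findings.append({"user": user, "group": group,
                             "severity": "HIGH" if "*" in write_actions else "MEDIUM",
                             "write_actions": write_actions})
    return findings


# Constructed sample plan (shape follows `terraform show -json`): the page's
# non-compliant membership plus an assumed AdministratorAccess attachment on
# admin_group, and the compliant standard_group carrying STANDARD_USER_POLICY
# inline (a managed policy created in the same plan has no ARN until apply).
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"type": "aws_iam_group_policy_attachment", "name": "admin_access",
     "values": {"group": "admin_group", "policy_arn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"type": "aws_iam_group_membership", "name": "add_user_to_admin_group",
     "values": {"group": "admin_group", "users": ["standard_user"]}},
    {"type": "aws_iam_group_policy", "name": "standard_user_policy",
     "values": {"group": "standard_group", "policy": json.dumps(STANDARD_USER_POLICY)}},
    {"type": "aws_iam_group_membership", "name": "add_user_to_standard_group",
     "values": {"group": "standard_group", "users": ["standard_user"]}},
]}}}

if __name__ == "__main__":
    for f in audit_plan(SAMPLE_PLAN):
        print(f"[{f['severity']}] {f['user']} -> {f['group']} grants {', '.join(f['write_actions'])}")
```

Run against the sample, the script reports one HIGH finding for standard_user in admin_group and nothing for standard_group, whose only policy passes policy_is_read_only. In a pipeline, `terraform plan -out=tfplan && terraform show -json tfplan` produces the input, and a non-empty findings list is the condition to fail the run on.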
